Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16341
HistoryMar 14, 2007 - 12:00 a.m.

n.runs-SA-2007.006 - PHProjekt 5.2.0 - Privilege escalation

2007-03-1400:00:00
vulners.com
17
JSON

n.runs AG
http://www.nruns.com/ security at nruns.com
n.runs-SA-2007.006 14-Mar-2007

Vendor: Mayflower GmbH, http://www.mayflower.de
Affected Products: PHProjekt 5.2.0
Vulnerability: Privilege escalation
Risk: HIGH

Vendor communication:

2006/12/31 initial notification of Mayflower
2007/01/02 Mayflower Response
2007/01/02 PGP keys exchange
2007/01/02 PoCs sent to Mayflower
2007/01/11 Mayflower confirmed the bugs
2007/01/30 Mayflower fixed the bugs and sends RC1
2007/01/30 n.runs informs Mayflower about a persisting XSS
vulnerability
2007/02/02 Mayflower confirmed the bug
2007/02/08 Mayflower fixed the bugs and sends RC2
2007/02/12 n.runs informs Mayflower about a persisting XSS
vulnerability
2007/02/15 Mayflower confirmed the bug
2007/02/20 Mayflower fixed the bug and sends RC3
2007/02/21 n.runs verifies RC3 and reported a possible flaw
within the new XSS protection library
2007/03/14 PHProjekt 5.2.1 available
2007/03/14 Coordinated disclosure

Overview:
Quoting http://www.phprojekt.com/features.php?&newlang=eng
"PHProjekt is a modular application for the coordination of group
activities and to share informations and document via the web.
Components of PHProjekt: Group calendar, project management, time card
system, file management, contact manager, mail client and many other
modules.
PHProjekt supports many protocols like ldap, xml/soap and webdav and
is available for 38 languages and 9 databases."

Description:
The vendor has been informed that every authenticated user can upload
any files, e.g., through the calendar or file management module.
With this privilege it is possible to upload PHP files with arbitrary
code, which can subsequently be instantly executed. This suggests a
privilege escalation is possible.

Solution:
The vulnerabilities were reported on Dec 31 2006 and an update has
been released on Mar 14 2007.

Credit:
Bugs found by Alexios Fakos of n.runs AG.

References:
http://www.nruns.com/security_advisory_phprojekt_privilege_escalation.php

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[email protected] for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of
such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.

JSON